Sorting Get-ADUser output by password expiry date - powershell

I am running a powershell script to get AD users and their password expiration date. I would like to sort the output based on their password expiration date.
Here is the script:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname", @{
Name="ExpiryDate";
Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}
} > result.txt
How can I sort/display the result by the ExpiryDate field?

Use the sort-object cmdlet on the Get-ADUser output like this:
| Sort-Object -property ExpiryDate
So the whole thing would look like this:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname", @{
Name="ExpiryDate";
Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}
} |
Sort-Object -property ExpiryDate > result.txt

Related

How to get accountexpirationdate real date?

I would like to get the actual date of accounts that have expired but still enabled in the active directory. I always get the date + 1 day. For example, if a user is expired today (15/11/2022), it will show (16/11/2022)... Can you help me with this?
Get-ADUser -Filter * -properties AccountExpirationDate |
Where-Object{$_.AccountExpirationDate -lt (Get-Date) -and $_.AccountExpirationDate -ne $null -and $_.Enabled -eq $True} |
select-object Name, SamAccountName, AccountExpirationDate | Sort-Object -Property {$_.AccountExpirationDate} -Descending
I always like to include LDAP property accountExpires in there (PowerShell conveniently converts this to local time in Property AccountExpirationDate)
to first check if the attribute has never been set (value 0) or if the attribute for the user has been set to 'Never Expires' (value 9223372036854775807).
Try
$refDate = (Get-Date).Date # set to midnight
# or use -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-ADUser -Filter 'Enabled -eq $true' -Properties AccountExpirationDate, accountExpires |
Where-Object {($_.accountExpires -gt 0 -and $_.accountExpires -ne 9223372036854775807) -and
($_.AccountExpirationDate -le $refDate)} |
Select-Object Name, SamAccountName, AccountExpirationDate |
Sort-Object AccountExpirationDate -Descending
Thanks Theo, I've found what I was looking for
Get-ADUser -Filter 'Enabled -eq $true' -Properties AccountExpirationDate, accountExpires |
Where-Object {($_.accountExpires -gt 0 -and $_.accountExpires -ne 9223372036854775807) -and
($_.AccountExpirationDate -le $refDate)} |
Select-Object Name, SamAccountName, @{Name="AccountExpirationDate";Expression={(get-date $_.AccountExpirationDate).AddDays(-1)}} |
Sort-Object AccountExpirationDate -Descending
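
An added example, not part of the original posts: it handles the two sentinel values named in the answer above (0 and 9223372036854775807) before converting and sorting, which also applies to the `msDS-UserPasswordExpiryTimeComputed` pipeline at the top of the page. The function name `Convert-AdFileTime` and the sample rows are constructed for illustration, so the block runs without a domain.

```powershell
# Sentinel values for AD FILETIME attributes such as accountExpires and
# msDS-UserPasswordExpiryTimeComputed.
$NeverSet     = 0
$NeverExpires = [long]::MaxValue   # 9223372036854775807

function Convert-AdFileTime {
    # Hypothetical helper: returns $null for either sentinel.
    # [datetime]::FromFileTime() throws on the maximum value and turns 0 into
    # a date in 1601, so neither should reach the conversion.
    param([Parameter(Mandatory)][long]$Value)
    if ($Value -eq $NeverSet -or $Value -eq $NeverExpires) { return $null }
    [datetime]::FromFileTimeUtc($Value)
}

# Constructed sample rows standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ Name = 'alice'; accountExpires = [datetime]::new(2022, 11, 16, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'bob';   accountExpires = $NeverExpires }
    [pscustomobject]@{ Name = 'carol'; accountExpires = $NeverSet }
    [pscustomobject]@{ Name = 'dave';  accountExpires = [datetime]::new(2022, 10, 1, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc() }
)

$report = $sample | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Name
        Expires = Convert-AdFileTime $_.accountExpires
    }
}

# Accounts with a real expiry date, oldest first.
$report | Where-Object { $_.Expires } | Sort-Object Expires

# Accounts with no expiry date, listed separately instead of being dropped
# or sorted to a misleading position.
$report | Where-Object { -not $_.Expires } | Select-Object Name
```

Against a live domain, replace `$sample` with the `Get-ADUser ... -Properties accountExpires` call from the answer.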

Why is the exported file blank?

I found this Powershell line that returns a list of users and password expiry dates:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
I have tried to pipe the output to:
Export-Csv -Path .\Passwrd.csv -NoTypeInformation
So now it looks like this:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Export-Csv -Path .\Passwrd.csv -NoTypeInformation
This completes but the output file is empty.
Can anyone help please?

Get Password expiry date for one single user in AD

I have found this script that filters me the password expiry date of enabled accounts on AD.
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
It works fine but I would like to have it search just one specific AD account that I will type in. How do I accomplish that?
I would
This is one of those times where reading the documentation would answer your question, as the examples cover this question...
You can either replace the Filter for the Identity param:
Get-ADUser -Identity USERNAME
Or, update the filter:
Get-ADUser -Filter {Name -eq "USERNAME"}
Try something like this:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Where-Object {$_.DisplayName -like "Username"}

Piping output of get-ADUser to Get-ADGroup with an LDAP filter

I'm trying to stitch together two lines of PowerShell, but I just can't figure the syntax. There is a post that sounds like it might be what I need, but it isn't using -LDAPFilter.
To generate a list of AD users created in the last 100 days, I use
$now = ((Get-Date).AddDays(-100)).Date
$users = Get-ADUser -Filter {whenCreated -ge $now} -Searchbase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" |
Where-Object { $_.Enabled -eq 'True' }
And this code from "How to get ALL AD user groups (recursively) with Powershell or other tools?" does the next step, which is to find all the groups that a user is a member of:
$username = 'd.trump'
$dn = (Get-ADUser $username).DistinguishedName
Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) |
select -Expand Name
but I can't pipe the output of the first into the second to get an overall list.
Get-ADUser -Filter {whenCreated -ge $now} -Searchbase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" |
Where-Object { $_.Enabled -eq 'True' } |
Select-Object DistinguishedName |
Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $_) |
select -expand Name
The error message is:
Get-ADGroup : The search filter cannot be recognized
I thought the second code snippet extracted the distinguished name and supplied it to the filter, and that is what I have tried to do in the pipeline.
You are missing ForEach-Object (alias %).
The following code should work:
Get-ADUser -Filter {whenCreated -ge $now} -SearchBase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" `
| Where-Object { $_.Enabled -eq 'True' } `
| %{Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $_.DistinguishedName)} `
| Select-Object -ExpandProperty Name
If you want to output both user and group information you can expand the code like this:
Get-ADUser -Filter {whenCreated -ge $now} -SearchBase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" `
| Where-Object { $_.Enabled -eq 'True' } `
| %{$group = Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $_.DistinguishedName);Write-Output $_.UserPrincipalName $group.Name}
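
An added example, not part of the original answer: the answer formats each user's DistinguishedName straight into the LDAP filter, and a DN containing `\`, `*`, `(` or `)` then yields a filter that is malformed or matches something other than intended. The helper names and the sample DNs below are constructed for illustration; the escaping follows RFC 4515.

```powershell
function ConvertTo-LdapFilterValue {
    # Hypothetical helper. RFC 4515: backslash, asterisk, parentheses and NUL
    # are written as a backslash followed by two hex digits.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function New-NestedMemberFilter {
    # Builds the in-chain (1.2.840.113556.1.4.1941) membership filter used in
    # the answer above, with the DN escaped first.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    '(member:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $DistinguishedName)
}

# Constructed DNs (not from the page). The second carries a DN-escaped comma
# and parentheses, the third an asterisk.
$sampleDns = @(
    'CN=Ann Byrne,OU=staff,DC=example,DC=com'
    'CN=Byrne\, Ann (Temp),OU=staff,DC=example,DC=com'
    'CN=Test*User,OU=staff,DC=example,DC=com'
)

# Print the raw DN next to the filter that is safe to send.
foreach ($dn in $sampleDns) {
    [pscustomobject]@{
        DistinguishedName = $dn
        Filter            = New-NestedMemberFilter $dn
    }
}

# With the ActiveDirectory module loaded, the pipeline from the answer becomes:
#   ... | ForEach-Object { Get-ADGroup -LDAPFilter (New-NestedMemberFilter $_.DistinguishedName) }
```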

powershell get samaccountuser with no formatting

I write a powershell command to return the samaccountname, and I kind of get what I want but not exactly.
PS C:\> (get-aduser -Server -f {(GivenName -eq "Nota") -and (Surname -eq "Realuser")} -Properties SamAccountName | select SamAccountName)
This is what I get:
SamAccountName
--------------
NRealuser
This is what I want:
NRealuser
So I want the samaccountname without the header.
You should try the ExpandProperty parameter that Select-Object offers.
(Get-ADUser -Server -f {(GivenName -eq "Nota") -and (Surname -eq "Realuser")} -Properties SamAccountName |
Select-Object -ExpandProperty SamAccountName)
You could also have skipped the Select-Object part and just retrieved the value of the property in the "normal way" like this:
(Get-ADUser -Server -f {(GivenName -eq "Nota") -and (Surname -eq "Realuser")} -Properties SamAccountName).SamAccountName